topic RE: NAC - EAP-TLS - Username is not diplayed if CN equals MAC in ExtremeWireless (General)

NAC - EAP-TLS - Username is not diplayed if CN equals MAC

Michael_Kirchne — Thu, 06 Aug 2015 17:56:00 GMT

Hi Community,

I have a little issue withe NetSight / NAC 6.3 with EAP-TLS.

If the CN in the client certificate equals the MAC address, then the username field is empty.

Otherwise the the filed is filled:

RADIUS / Certificate Diagnostics (CN=MAC):
User-Name = "00-1A-E8-27-76-8A" Service-Type = Framed-User Called-Station-Id = "20-B3-99-0B-6A-94" Calling-Station-Id = "00-1A-E8-27-76-8A" NAS-Identifier = "Demokit D2" NAS-IP-Address = 192.168.10.10 NAS-Port = 8 NAS-Port-Id = "ge.1.8" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0x7077081978e6055d5931c04285fc9f93 EAP-Message = 0x029100060d00 Message-Authenticator = 0xa8aaa0067409760bc450db9db1a2a7c4 ETS-Outer-Tunnel-Username = "00-1A-E8-27-76-8A" ETS-NTLM-Auth-Allowed = 0 ETS-Cleartext-Password = EAP-Type = EAP-TLS TLS-Cert-Serial := "11ab00d3000700000039" TLS-Cert-Expiration := "200801150226Z" TLS-Cert-Subject := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA" TLS-Cert-Issuer := "/DC=com/DC=demo/DC=unify/CN=Unify Demo Root CA" TLS-Cert-Common-Name := "Demokit Issuing CA" TLS-Client-Cert-Serial := "610f05e900010000001f" TLS-Client-Cert-Expiration := "170806112608Z" TLS-Client-Cert-Subject := "/C=DE/ST=BW/L=Stuttgart/O=Unify Deutschland GmbH & Co. KG/OU=PSS UCC 3.2/CN=00-1A-E8-27-76-8A" TLS-Client-Cert-Issuer := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA" TLS-Client-Cert-Common-Name := "00-1A-E8-27-76-8A" TLS-Client-Cert-X509v3-Subject-Key-Identifier += "5A:60:B4:7E:F7:36:B7:22:F1:39:31:8C:B1:6B:61:BF:BE:85:BE:7D" TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:07:F3:A1:4C:98:90:42:58:9A:FB:B2:67:A5:09:25:E1:76:16:77:06\n" TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Server Authentication, TLS Web Client Authentication"
RADIUS / Certificate Diagnostics (CN!=MAC):
User-Name = "00-11-22-AA-BB-CC" Service-Type = Framed-User Called-Station-Id = "20-B3-99-0B-6A-94" Calling-Station-Id = "00-1A-E8-27-76-8A" NAS-Identifier = "Demokit D2" NAS-IP-Address = 192.168.10.10 NAS-Port = 8 NAS-Port-Id = "ge.1.8" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xda612f8ad24a226d68a952489ecc2114 EAP-Message = 0x022b00060d00 Message-Authenticator = 0xf9175123bf64dac6666667d70b4d4fae ETS-Outer-Tunnel-Username = "00-11-22-AA-BB-CC" ETS-NTLM-Auth-Allowed = 0 ETS-Cleartext-Password = EAP-Type = EAP-TLS TLS-Cert-Serial := "11ab00d3000700000039" TLS-Cert-Expiration := "200801150226Z" TLS-Cert-Subject := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA" TLS-Cert-Issuer := "/DC=com/DC=demo/DC=unify/CN=Unify Demo Root CA" TLS-Cert-Common-Name := "Demokit Issuing CA" TLS-Client-Cert-Serial := "6153011a000100000020" TLS-Client-Cert-Expiration := "170806124023Z" TLS-Client-Cert-Subject := "/C=DE/ST=BW/L=Stuttgart/O=Unify/OU=PSS UCC 3.2/CN=00-11-22-AA-BB-CC" TLS-Client-Cert-Issuer := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA" TLS-Client-Cert-Common-Name := "00-11-22-AA-BB-CC" TLS-Client-Cert-X509v3-Subject-Key-Identifier += "54:7C:C6:4A:3C:D5:F0:C0:F0:D3:14:40:67:33:79:E5:F6:AF:29:0D" TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:07:F3:A1:4C:98:90:42:58:9A:FB:B2:67:A5:09:25:E1:76:16:77:06\n" TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Server Authentication, TLS Web Client Authentication"
Hope anyone has an idea why the username is not extracted correctly.

Best Regards
Michael

RE: NAC - EAP-TLS - Username is not diplayed if CN equals MAC

Mike_Thomas — Thu, 06 Aug 2015 18:29:00 GMT

Hi Michael,
1. Is the behavior different than in 6.2.x.x?
2. The radius output attribute user-name and TLS-client-Cert-Common name are mac's in both cases. Are you certain that the second one displayed the username, and the first did not?
3. The conflicting info looks that the screenshot shows the host MAC-address as "76-7A" in both cases.

RE: NAC - EAP-TLS - Username is not diplayed if CN equals MAC

Michael_Kirchne — Thu, 06 Aug 2015 18:42:00 GMT

Hi Mike,

thanks for your reply.
1. I can't tell you for sure - my LAB equipment is running NetSight 6.3.0.142 right now.
2. Yes, first case was MAC=CN and with the second case I was trying a username which is a MAC but does not eual the MAC of the device.
-> Yes I'm certin. I checked with serveral certificates issued by different CAs.
3. Yes, both cases were the same device (phone). Just the certificates were different.

Case 1:
CN=MAC e.g. CN=00-1A-E8-27-76-8A or CN=001AE827768A or CN=00:1A:E8:27:76:8A

Case 2:
CN!=MAC e.g, CN=00-1A-E8-27-76-8A.demo.com or any other CN

Hope that helped to clear things up.

I came across that issue while I was testing our Phone Certificate Deployment in my lab.

Regards
Michael

RE: NAC - EAP-TLS - Username is not diplayed if CN equals MAC

Mike_Thomas — Thu, 06 Aug 2015 19:06:00 GMT

Which case displays the username? Which is the mac of the device? Both show the mac as the same, but username is different in the pics. case 2 appears to work, correct?
first
User-Name = "00-1A-E8-27-76-8A"
TLS-Client-Cert-Common-Name := "00-1A-E8-27-76-8A"
second
User-Name = "00-11-22-AA-BB-CC"
TLS-Client-Cert-Common-Name := "00-11-22-AA-BB-CC"
The source appears to be 76-8A in both cases, so it's confusing. We may need to open a case so you can send in those certificates I guess, traces and some debug which don't belong here, but maybe we are actually not looking at the right info.

RE: NAC - EAP-TLS - Username is not diplayed if CN equals MAC

Michael_Kirchne — Thu, 06 Aug 2015 19:12:00 GMT

Hi Mike,

Case 2 displays the username but that username "00-11-22-AA-BB-CC" is not correct. It was just for testing purpose to see wheter or not NAC ignors MAC like usernames in general or only if they equal to the MAC address.

The MAC address of the device is: 00-1A-E8-27-76-8A
The username which should be in the certificate is: 00-1A-E8-27-76-8A

But as you see NAC does not display the username if the CN equals the MAC.

Alright I will open a case.

Thanks a lot 🙂

Best Regards
Michael

RE: NAC - EAP-TLS - Username is not diplayed if CN equals MAC

Ronald_Dvorak — Thu, 06 Aug 2015 22:34:00 GMT

My goal was to see whether I run into the same issue with EAP PEAP.
Setup: 802.1X WLAN service, NAC 6.3, Win AD/LDAP, EWC 9.21.

So instead of my normal username "dvorakr" I've done a copy of the user in AD and used the MAC as the username = "2477033BD329"

In that case I can't connect to the WLAN.
NAC client state is "reject" and the reason is that the authentication is MAC EAP-MD5 instead of 802.1X PEAP.

I've tried it with Cisco Anyconnect and also the build in Win7 client and both are set to PEAP.

So I've created another account on my AD with the MAC but changed the last digit to an 8 = not my WLAN MAC anymore and I'm able to connect.

Looks like there is something going wrong if the username = MAC.

I can't tell whether that is related to the WIN AD/LDAP or the controller or NAC.

-Ron

RE: NAC - EAP-TLS - Username is not diplayed if CN equals MAC

Michael_Kirchne — Fri, 07 Aug 2015 14:13:00 GMT

Hi Ron,

I also hat the issue with MAC EAP-MD5. I had to disable MAC EAP-MD5 in the Advanced AAA Config. After that I successfully authenticated via EAP-TLS.

If you're not using MAC EAP-MD5 for MAC Authentication you could also disable it and give it a try.

Best Regards
Michael